ipa-custodia-selinux's People

Contributors

tiran avatar wrabcak avatar

Forkers

wrabcak lslebodn

ipa-custodia-selinux's Issues

Transition to a different context when executing binaries

When executing binaries like /usr/bin/pki we should transition to a different domain so rules like allow execmem are only given to the specific binary and not necessary for the whole custodia process. In general this will allow us to restrict what can access the NSS databases too.

Handle additional AVCs

@wrabcak here are some more AVCs with explanation.

ipa-custodia start

type=AVC msg=audit(1492697537.948:2819): avc:  denied  { open } for  pid=17847 comm="ipa-custodia" path="/var/log/ipa-custodia.audit.log" dev="dm-0" ino=275886 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697538.114:2820): avc:  denied  { execute } for  pid=17848 comm="ipa-custodia" name="ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697538.114:2821): avc:  denied  { read open } for  pid=17848 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697538.114:2822): avc:  denied  { execute_no_trans } for  pid=17848 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492697537.618:2818): avc:  denied  { write } for  pid=17847 comm="ipa-custodia" name="nss" dev="dm-0" ino=270508 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492697538.153:2823): avc:  denied  { net_admin } for  pid=17847 comm="ipa-custodia" capability=12  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
  • /var/log/ipa-custodia.audit.log
  • ldconfig is probably coming from Python's ctypes module. ctypes.util.find_library() runs ldconfig to locate shared libraries

ipa-replica-install --setup-ca

type=AVC msg=audit(1492700622.817:3544): avc:  denied  { connectto } for  pid=19970 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492700622.829:3545): avc:  denied  { search } for  pid=20363 comm="ipa-custodia" name="19970" dev="proc" ino=264879 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492700622.830:3546): avc:  denied  { read } for  pid=20363 comm="ipa-custodia" name="loginuid" dev="proc" ino=264880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.830:3547): avc:  denied  { open } for  pid=20363 comm="ipa-custodia" path="/proc/19970/loginuid" dev="proc" ino=264880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.830:3548): avc:  denied  { getattr } for  pid=20363 comm="ipa-custodia" path="/proc/19970/loginuid" dev="proc" ino=264880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.944:3549): avc:  denied  { dac_override } for  pid=20363 comm="ipa-custodia" capability=1  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492700622.945:3550): avc:  denied  { read } for  pid=20363 comm="ipa-custodia" name="password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.945:3551): avc:  denied  { open } for  pid=20363 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700622.945:3552): avc:  denied  { getattr } for  pid=20363 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492700841.361:3598): avc:  denied  { connectto } for  pid=19974 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
  • Custodia looks into /proc/PID and uses /proc/PID/loginuid to authenticate processes
  • /etc/pki/pki-tomcat/password.conf is read to open the NSS database with private keys

ipa-kra-install

type=AVC msg=audit(1492701017.714:3633): avc:  denied  { search } for  pid=20507 comm="ipa-custodia" name="20462" dev="proc" ino=275475 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492701317.490:3734): avc:  denied  { connectto } for  pid=21947 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492701317.502:3735): avc:  denied  { search } for  pid=22045 comm="ipa-custodia" name="21947" dev="proc" ino=295678 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492701317.502:3736): avc:  denied  { read } for  pid=22045 comm="ipa-custodia" name="loginuid" dev="proc" ino=298094 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.502:3737): avc:  denied  { open } for  pid=22045 comm="ipa-custodia" path="/proc/21947/loginuid" dev="proc" ino=298094 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.502:3738): avc:  denied  { getattr } for  pid=22045 comm="ipa-custodia" path="/proc/21947/loginuid" dev="proc" ino=298094 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.641:3739): avc:  denied  { dac_override } for  pid=22045 comm="ipa-custodia" capability=1  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492701317.641:3740): avc:  denied  { read } for  pid=22045 comm="ipa-custodia" name="password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.641:3741): avc:  denied  { open } for  pid=22045 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701317.641:3742): avc:  denied  { getattr } for  pid=22045 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1

ipa ca-add

type=AVC msg=audit(1492701579.053:3796): avc:  denied  { read } for  pid=22190 comm="ipa-custodia" name="password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.053:3795): avc:  denied  { dac_override } for  pid=22190 comm="ipa-custodia" capability=1  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492701579.054:3797): avc:  denied  { open } for  pid=22190 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.054:3798): avc:  denied  { getattr } for  pid=22190 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="dm-0" ino=281608 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.085:3799): avc:  denied  { read } for  pid=22191 comm="pki" name="passwd" dev="dm-0" ino=281800 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.086:3800): avc:  denied  { open } for  pid=22191 comm="pki" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=281800 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.086:3801): avc:  denied  { getattr } for  pid=22191 comm="pki" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=281800 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.086:3802): avc:  denied  { write } for  pid=22191 comm="pki" name="nss" dev="dm-0" ino=270508 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492701579.086:3803): avc:  denied  { connectto } for  pid=22191 comm="pki" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492701579.133:3804): avc:  denied  { create } for  pid=22191 comm="pki" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492701579.133:3805): avc:  denied  { bind } for  pid=22191 comm="pki" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492701579.133:3806): avc:  denied  { node_bind } for  pid=22191 comm="pki" saddr=::1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492701579.143:3807): avc:  denied  { execute } for  pid=22192 comm="pki" name="ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.143:3808): avc:  denied  { read open } for  pid=22192 comm="pki" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.143:3809): avc:  denied  { execute_no_trans } for  pid=22192 comm="pki" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492701579.913:3812): avc:  denied  { execmem } for  pid=22198 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
  • The FreeIPA custodia plugin runs /usr/bin/pki to extract private key material for sub CAs. The command is a Python script that runs a Java command to interact with Dogtag PKI.

RHEL 7.4 AVCs

# rpm -qa selinux-policy custodia ipa-server
ipa-server-4.5.0-7.el7.x86_64
custodia-0.3.1-2.el7.noarch
selinux-policy-3.13.1-144.el7.noarch
type=AVC msg=audit(1492776915.640:1159): avc:  denied  { create } for  pid=13406 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492776915.640:1160): avc:  denied  { connect } for  pid=13406 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492776915.641:1161): avc:  denied  { getattr } for  pid=13406 comm="ipa-custodia" path="socket:[103026]" dev="sockfs" ino=103026 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492776916.210:1163): avc:  denied  { create } for  pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492776916.211:1164): avc:  denied  { bind } for  pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492776916.211:1165): avc:  denied  { getattr } for  pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492776916.211:1166): avc:  denied  { nlmsg_read } for  pid=13413 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777248.176:1241): avc:  denied  { create } for  pid=13664 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492777248.176:1242): avc:  denied  { connect } for  pid=13664 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492777248.177:1243): avc:  denied  { getattr } for  pid=13664 comm="ipa-custodia" path="socket:[111728]" dev="sockfs" ino=111728 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=udp_socket
type=AVC msg=audit(1492777421.112:1278): avc:  denied  { create } for  pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777421.112:1279): avc:  denied  { bind } for  pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777421.112:1280): avc:  denied  { getattr } for  pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1492777421.112:1281): avc:  denied  { nlmsg_read } for  pid=13725 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket
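The AVC records above are the raw input a policy author works from: each one names a source domain, a target type, an object class and the permissions that were denied (in permissive mode, logged but not enforced). The following script is an added example, not code from the ipa-custodia-selinux project. It parses audit.log style AVC lines, aggregates them into the (source type, target type, class) triples that become allow rules, and separates out denials raised by helper commands (comm differs from the daemon) while still running in ipa_custodia_t. That second list is exactly the set of rules the domain-transition issue above wants to move out of the daemon's domain. The sample log is constructed from records on this page plus one non-AVC line to show that it is skipped.

```python
"""Summarise SELinux AVC denials from an audit log (added example)."""
import re
from collections import defaultdict

# One AVC record: the permission set inside braces, then key=value pairs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: AVC lines taken from the issue above plus an rpm line.
SAMPLE_LOG = [
    'type=AVC msg=audit(1492697537.948:2819): avc:  denied  { open } for  pid=17847 comm="ipa-custodia" path="/var/log/ipa-custodia.audit.log" dev="dm-0" ino=275886 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1492697538.114:2820): avc:  denied  { execute } for  pid=17848 comm="ipa-custodia" name="ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1492697538.114:2821): avc:  denied  { read open } for  pid=17848 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1492697538.114:2822): avc:  denied  { execute_no_trans } for  pid=17848 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="dm-0" ino=4793 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1492697538.153:2823): avc:  denied  { net_admin } for  pid=17847 comm="ipa-custodia" capability=12  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1492700622.817:3544): avc:  denied  { connectto } for  pid=19970 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(1492700622.830:3547): avc:  denied  { open } for  pid=20363 comm="ipa-custodia" path="/proc/19970/loginuid" dev="proc" ino=264880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1492701579.085:3799): avc:  denied  { read } for  pid=22191 comm="pki" name="passwd" dev="dm-0" ino=281800 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1492701579.913:3812): avc:  denied  { execmem } for  pid=22198 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1',
    'ipa-server-4.5.0-7.el7.x86_64',
]


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'pid': fields.get('pid'),
        # user:role:type:level -> the type is the third component
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # whichever of path / name / capability number identifies the target
        'target': fields.get('path') or fields.get('name') or fields.get('capability') or '',
        'permissive': fields.get('permissive') == '1',
    }


def summarise(lines):
    """Aggregate denials into {(source type, target type, class): set(perms)}."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(summary)


def helper_denials(lines, daemon_type, daemon_comm):
    """Denials raised in the daemon's domain by a command other than the daemon.

    Without a domain transition these permissions must be granted to the
    whole daemon domain; keyed by (comm, target type, class) so a policy
    author can see what a dedicated helper domain would need instead.
    """
    out = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['stype'] == daemon_type and rec['comm'] != daemon_comm:
            out[(rec['comm'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(out)


def allow_rules(summary):
    """Render an aggregated summary as sorted allow rules in policy syntax."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summary.items()
    )


if __name__ == '__main__':
    for rule in allow_rules(summarise(SAMPLE_LOG)):
        print(rule)
    print('--- raised by helper commands inside ipa_custodia_t ---')
    for key, perms in sorted(helper_denials(SAMPLE_LOG, 'ipa_custodia_t', 'ipa-custodia').items()):
        print(key, sorted(perms))
```

Rendering the summary as allow rules is only a starting point: the httpd_t connectto rule and the /proc/PID/loginuid reads belong to the peer-authentication path and are expected, whereas the pki and java entries in the helper list are the ones to move into a separate domain rather than grant to ipa_custodia_t.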
